Ejabberd Crutches protection

Prologue. I did not dare to write this article for a long time. Because even without being a programmer, I understand that the above code can be simpler and more elegant. But I hope that the article will help those who are faced with the same dilemma, and maybe encourage someone to write a more decent script. So, in one city, in some company a jabber server appeared ...

The service turned out to be necessary and in demand, but the trouble is, many users work remotely and not everyone has a VPN. Of course, opening ports out is not a problem, but since jabber is tied to the mail LDAP, the issue of protection takes on a critical degree. Having elapsed the ejabberd config and seeing that there is no protection provided, I thought: “Oh, what a nonsense. Now we set up fail2ban. ”And broke off. Neither about ejabberd, nor about openfire, nor about any other xmpp, fail2ban was not up to date. “Garbage question!” - I thought again. "Now we set up." And it is useful to watch the ejabberd log. And then the complexity of the problem stood before me in full growth. The impression was that the service log was specially created so that fail2ban could not be configured for it. Roughly speaking, the message about a failed password entry consists of four lines:
1. = Date, time ====
2. Connection message from ip address
3. = Date, time ====
4. Error message.
Moreover, comma O_o is used as a separator in the ip address.
And fail2ban analyzes logs on one line. And in the line there should be at least two values ​​- the attacker's ip address and time. Googling for the “ejabberd protection” query has given up bits of useful information. There are two modules that can help in this situation here and here. But! I have not mastered ejabberd enough to be able to install them. The first requires the installation of patches. And the second is installed, but does not write anything to the log. Apparently also need a patch. In the end, "niasilil", forgive my French and sad.

However, if the mountain does not go to Mohammed, then the mountain to Mohammed is carried. Let's write a script that reads the jabber log and creates a sample with erroneous values. What I think about my creation, I wrote at the very beginning. And the code looks like this.

#!/bin/bash cp /dev/null /var/log/ejabberd/tofail.log #  ,       log="/var/log/ejabberd/ejabberd.log" #  ejabberd itog="/var/log/ejabberd/tofail.log" #  ejabberd shab='I(.*) : (.*) Failed authentication for \w*@\w*.\w*.\w*' i="0" cat $log | while read line do dan[$i]="$line" if [[ ${dan[$i]} =~ $shab ]]; then #   ... i=`expr $i - 4` vrem="${dan[$i]}" # ...  i=`expr $i + 1` con="${dan[$i]}" # ... i=`expr $i + 3` fai="${dan[$i]}" # ... echo "$vrem $con $fai" >>$itog #    fi i=`expr $i + 1` done sed -i 's/,/./g' "$itog" #     

')
What the script does. Looks at ejabberd.log, when finding a line with a message about entering the wrong password, enters the previous two lines with time and ip address of the connection in variables. After that, all three values ​​are written to the log.

After that you need to prepare fail2ban In /etc/fail2ban/filter.d/, create an ejabberd.conf file with the following contents:

 # Fail2Ban configuration file [Definition] failregex = Accepted connection \{\{<HOST>\} ignoreregex = 

You can check that the filter is working with the command fail2ban-regex /var/log/ejabberd/tofail.log /etc/fail2ban/filter.d/ejabberd.conf

In jail.cfg write

 [ejabberd] enabled = true port = 5222 filter = ejabberd action = iptables-allports[name=EJABBERD, protocol=all] logpath = /var/log/ejabberd/tofail.log maxretry = 3 

Further. This creation is thoughtful and works for a long time. In order not to load the system once again, we will run the script only when the size of the ejabberd log changes. Therefore, we hang in the crontab, say the files filesize.sh with the following contents:

 #!/bin/bash logf="/var/log/ejabberd/ejabberd.log" filesize="/etc/ejabberd/size.txt" live=`stat -c%s $logf` cat $filesize |while read line do if [ $live -ne $line ] then /etc/ejabberd/expres.sh fi done echo `stat -c%s $logf` >$filesize 

I run once a minute. The frequency of updates you have, choose for yourself.

Here actually with such crutches, jabber was released outside. There are unsuccessful trainers, but for now, the employees themselves are mistaken when entering the password. In the near future, it will be necessary to test how much this whole system will cope with jBrute and jbbl. Any comments about the optimization of the code I will accept with great gratitude and post it after verification.